Case study

How Anthropic Is Scaling Supply Chain Security with Socket

Highlights:

  • Socket automated 95% of dependency reviews, reducing manual security engineering work.
  • Engineers save 5+ hours per week, improving productivity and accelerating research and development timelines.
  • Seamless API integration ensures Socket fits directly into Anthropic's custom workflows.
  • Increased confidence in dependency security, enabling Anthropic to scale while still maintaining rigorous security standards.

Jason Clinton, CISO, Anthropic

About Anthropic

Anthropic is an AI safety and research company building systems that are reliable, interpretable, and steerable. As a fast-growing organization with a commitment to security, navigating the complexities of supply chain security requires solutions that are efficient, scalable, and aligned with their growth trajectory. Socket has proven invaluable in helping Anthropic automate and scale their dependency review process.

The Challenge

For Ziyad Edher, an engineer at Anthropic, managing the security of dependencies in an ever-expanding codebase was becoming a time-consuming challenge. Before collaborating with Socket, Anthropic relied on manual dependency reviews to ensure every open source package met their strict security standards. This approach didn't scale as the team and infrastructure grew.

Ziyad Edher, Engineer, Anthropic

"We were spending 15 minutes per dependency, reviewing 5 to 10 dependencies a day," Ziyad said. "As we grew, this quickly became unsustainable.

"Researchers need to do research. Engineers building infrastructure need to bring in new dependencies as part of their work."

Ziyad said dependency updates were also a concern: manually reviewing every update, not just every new package, made the practice unsustainable even sooner.

"Socket came in to handle much of the manual work, giving us greater confidence with standardized checks we could rely on," Ziyad said. "This eliminated the need to build those solutions in-house."

"There are also intangible benefits—Socket is likely much better than me manually reviewing the seventh dependency of the day. The detections continue to improve autonomously, and it has been invaluable for us as we scale."

Key Challenges:

  • Time-intensive manual reviews: Engineers spent hours each week vetting dependencies.
  • Research and development delays: Manual processes slowed researchers’ ability to quickly integrate new tools and libraries.
  • Difficulty scaling: As the company grew, the volume of dependencies outpaced the team’s capacity to manage them manually.

The Solution: Automating Dependency Security with Socket

Anthropic integrated Socket’s API into their dependency approval pipeline. Socket automated the review process by analyzing dependencies, scoring their security, and flagging any issues for manual review only when necessary.

How It Works:

  1. Developers request a new package using Anthropic’s internal tooling.
  2. Socket evaluates the package, returning scores based on predefined thresholds.
  3. Packages meeting the thresholds are automatically approved, while others are flagged for manual review.

"We’re now unblocking researchers and engineers much faster, creating a cascading effect," Ziyad said. "People can conduct research and build more quickly while having greater confidence that they’re not making mistakes, thanks to Socket's automated checks in place."

Why Socket?

Key factors in Anthropic’s decision to use Socket for their security solution included:

  1. Advanced Detections:
    Socket’s intelligent scoring system offered deeper insights into dependency risks, reducing the need for manual intervention.
  2. Ease of Integration:
    Socket’s API seamlessly integrated into Anthropic’s existing workflows, ensuring a smooth transition without disrupting developers.
  3. Scalability and Partnership:
    Socket’s proactive improvements and responsive support gave Anthropic confidence in its ability to grow with their needs.

Results: A 95% Reduction in Time Spent Manually Reviewing Dependencies

Since implementing Socket, Anthropic has seen improvements in efficiency and scalability. The manual review process, once a bottleneck for the team, has been almost entirely eliminated, with a 95% reduction in the need for hands-on scrutiny of dependencies. This shift has freed engineers to focus on higher-priority initiatives, allowing them to dedicate their time to more impactful work rather than repetitive, time-consuming tasks.

On average, security engineers are saving over five hours each week thanks to Socket’s automation capabilities. This regained time has not only increased individual productivity but also empowered the team to address broader organizational goals. Additionally, the automated approval process has reduced delays for researchers, enabling them to quickly integrate new tools and dependencies. By accelerating these workflows, Socket has allowed Anthropic’s teams to maintain their rigorous security standards while continuing to innovate at speed.
